Network switches and other network units preferably include systems for detecting undesirable groups of characters, hereinafter termed ‘signatures’ which may occur in packets received by the switch or other unit. It is known to establish and maintain a ‘signature database’ i.e. a listing of all the known signatures which may represent a threat to the unit or network. Such a database is used in conjunction with a compiler to define a DFA which is used to detect the signatures. More particularly, a DFA is a state machine which comprises a multiplicity of different states and possible transitions between states. A signature is represented in the DFA by a particular sequence of states. For each state there is a determination whether a currently received character (e.g. a character currently read from an input FIFO) allows a transition to another state; if the input character does not allow a transition to a non-default state the state machine reverts to a default state. One example of a state machine of this character is described hereinafter.
A substantial benefit of employing a DFA for the detection of signatures is that a very large number of long signatures can be efficiently stored as a state machine and the machine at any time needs only to examine a current character to determine the next state of the machine.
However, a known phenomenon in pattern matching of signatures is that of ‘false positives’. For example a signature which represents a threat in packet conforming to UDP (User Datagram Protocol) does not necessarily represent a threat in traffic which does not conform to UDP; such traffic may be packets that conform instead to TCP (Transport Control Protocol) or other protocols such as ICMP (Internet Control Message Protocol). Current methods that use a single DFA for all the signatures do not take into account the flow-type or other parameters and so return many false positives. All alerts raised have to be further processed to eliminate those not associated with the traffic flow under scrutiny. The main problem associated with the generation of false positives is the burden it places on a final processing stage, such a post-processor in a network switch. The generation of false positive reduces the capacity of such a post-processor, which in general has to execute or cause the final forwarding process for every packet through the switch. Furthermore, if large numbers of false positives are generated, it is possible that, owing to processing rate limitations, real security threats may not be detected.
The technique described below provides a mechanism by which the number of false positives can be dramatically reduced.